Workaround for Java 8u131 “attempted to open sandboxed jar xxxxx as a Trusted-Library” error

Workaround for Java 8u131 “attempted to open sandboxed jar xxxxx as a Trusted-Library” error

A recent Java update to Java 8 build 131 changed what Java would accept as a “signed” JAR app. Specifically, any JAR signed with an MD5 hash will no longer be considered trusted, as the MD5 hash is now considered to be weak.

This change results in applications refusing to run with an error message like:preloader: Delivering: ErrorEvent[url=https://XXXXX label=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library cause=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library

This occurs when the site delivering the applet is signing it with an MD5 hash. I’ve seen reports of the PulseSecure PCS and Cisco ASA doing this with the HOBsoft HOBlink Java RDP client, meaning that users are unable to securely access systems behind these devices.

Enter your password at the prompt so that you can edit the protected file.
Type “/jdk.jar.disabledAlg” to find the relevant line.

Current Line:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

Change this to:

jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024

(i.e. remove the “MD5,” – use the cursor keys to move to the “MD5,” and press “x” to delete each character)
Save the file by holding down SHIFT and pressing “Z” twice.

Caveat: This workaround is disabling a security measure within Java, so should be considered a risk. However, the risk is only the same as the previous version of Java, and I would assume vendors will eventually update their systems so that they sign Java applets in a secure fashion.

This works with later versions of Java as well. I’ve tried it up to Java 8 Build 161. You do have to repeat the change after each upgrade though as it restores the MD5 text.

Hi Sarah – You’ll need to run that command in Terminal on the Mac.
When editing the file in “vi”, use “x” to delete a character, “i” will let you insert, and the “Esc” key will exit “insert mode”.
Alternatively, use “sudo nano java.security” instead to use the more user friendly “nano” editor.